Commit 543faccc authored by Nick Kralevich

allow init tmpfs:dir relabelfrom

When encrypting a device, or when an encrypted device boots,
a tmpfs is mounted in place of /data, so that a pseudo filesystem
exists to start system_server and related components. SELinux labels
need to be applied to that tmpfs /data so the system boots
properly.

Allow init to relabel a tmpfs /data.

Addresses the following denial:

[    6.294896] type=1400 audit(29413651.850:4): avc:  denied  { relabelfrom } for  pid=1 comm="init" name="/" dev="tmpfs" ino=6360 scontext=u:r:init:s0 tcontext=u:object_r:tmpfs:s0 tclass=dir

Steps to reproduce:
  1) Go into Settings > Security > Encrypt Phone
  2) Encrypt phone
  3) See denial
  4) reboot phone
  5) See denial on boot

Bug: 19050686
Change-Id: Ie57864fe1079d9164d5cfea44683a97498598e41
parent a4b82264
......@@ -46,6 +46,9 @@ allow init tmpfs:dir mounton;
allow init cgroup:dir create_dir_perms;
allow init cpuctl_device:dir { create mounton };
# Use tmpfs as /data, used for booting when /data is encrypted
allow init tmpfs:dir relabelfrom;
# Create directories under /dev/cpuctl after chowning it to system.
allow init self:capability dac_override;
......
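
Review bot: the added rule `allow init tmpfs:dir relabelfrom;` is not scoped to /data. It lets init relabel away from any directory that carries the generic tmpfs type, while the comment above it ("Use tmpfs as /data, used for booting when /data is encrypted") reads as if the grant were limited to that one mount. Suggest wording the comment to say that init relabels the root of the tmpfs mounted at /data and that the permission applies to every tmpfs-labeled directory. Separately, a relabel needs relabelto on the destination type as well as relabelfrom on the source type. The denial quoted in the commit message shows only relabelfrom and this hunk adds only relabelfrom, so it is worth confirming that the matching relabelto for the label applied to /data is already granted elsewhere in the policy.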